When Software Vendors Are $%@& Stupid

My company has hired a certain large service provider to host our payroll software. The provider has a number of different websites that staff use to keep track of work hours and vacation and sick time. Our payroll administrator also uses one of their websites to process payroll. The payroll website uses certificates for security and also uses 4 separate ActiveX controls that allow the website to present reports and charts and stuff like that.

The ActiveX controls require the user to be a local administrator on their PC. The payroll website at the same time also requires certain settings in Internet Explorer to be set to either weird values or to be less secure than is best practice.

When I phone and talk to technical people at the vendor, they tell me that the settings and the need for local admin are a requirement and there is no workaround or other option. Oh, and it's all only compatible with IE8 and no other browser of any version or brand.

I have caved in and allowed the payroll staff to be local admins because if they can't process payroll nobody gets paid. Kinda important.

My question to Ars is, what recourse do I have? Why do companies that have shite software and shite websites still manage to get away with this stuff? What do you guys do in similar situations?

Quote:

My question to Ars is, what recourse do I have? Why do companies that have shite software and shite websites still manage to get away with this stuff? What do you guys do in similar situations?

1) If you're under contract, have a large investment in the software, or it's not in your power to create change, your recourse is to bend over and take it. Many people don't evaluate software down to the client level beyond software/hardware requirements.

2) Because usually it's much easier to have the client make simple changes than to re-engineer the software - there are obvious costs to the company.

I think I know which payroll vendor you are talking about, as I had to grant admin rights to the finance dept last week for the same reason. Would love to know if there is actually a way round it.

I don't have a problem with putting the website URL into the trusted sites list. I don't have a problem with allowing popups from the website either. I do have a problem with check marking "Allow software to run if the signature is invalid". I also have a problem when they say to set the temp internet folder cache size to 256MB. My workaround is that whenever one of my users needs a "special" setup to use their crappy service, I simply call them and say "connect remotely - a user needs you to make it work". I have transferred the aggravation from myself to tech support at the vendor. They can be inconvenienced, not me.

Quote:

1) If you're under contract, have a large investment in the software, or it's not in your power to create change, your recourse is to bend over and take it. Many people don't evaluate software down to the client level beyond software/hardware requirements.

2) Because usually it's much easier to have the client make simple changes than to re-engineer the software - there are obvious costs to the company.

I am bending over the table right now because, as a relatively small customer, it appears I have no influence on the software provider. I am displaying my displeasure because I would expect, for software that needs to have security built in (it being payroll and all), that the developers would be more aware of the security consequences of being a local admin.

What really grinds my gears is that my company has a single developer that managed to make a very user friendly and secure website that is compatible with all the major web browsers AND doesn't need Flash or Java or ActiveX AND that website is where we get 60% of our revenue. Why can a smallish company with 1 full time on premises developer make a great website and a large company cannot? Why are we smarter and more capable than a company with a hundred times the resources?

Quote:

What really grinds my gears is that my company has a single developer that managed to make a very user friendly and secure website that is compatible with all the major web browsers AND doesn't need Flash or Java or ActiveX AND that website is where we get 60% of our revenue. Why can a smallish company with 1 full time on premises developer make a great website and a large company cannot? Why are we smarter and more capable than a company with a hundred times the resources?

Welcome to the real world. Sorry, it boggles the mind sometimes... and I can relate to your pain.

Quote:

I think I know which payroll vendor you are talking about, as I had to grant admin rights to the finance dept last week for the same reason. Would love to know if there is actually a way round it.

Ayup.

This same software was so ridiculously convoluted and unusable, my team stopped claiming standby pay. It doesn't help that the internal "admin" for this piece of crap is a payroll person with somewhere between zero and none actual technical skills. She can't even make the default pay periods in the app match up to our actual pay periods (this has been going on for the last 2.5 years, with no end in sight).

Luckily, about 6 months ago I got all my guys off of the on-call rotation, so now I don't have to worry about it.

My solution was to put all the crap settings into Internet Explorer, then set Firefox to be the default browser.

Still get HR bitching about having to copy and paste links (from the vendor) into IE to get them to go, but it minimizes the footprint of those security holes. We have a firewall and filtering proxy as well, but some random 0-day exploit worries me.

The overall solution is to keep an iron grip on any and all IT related requests, which is very difficult with a heavy workload, but at the end of the day you just have to do it. Letting non-technical people make the final decision on a product that affects your infrastructure is not the way to go. And if a vendor isn't willing to provide the resources you need to do a test rollout, they aren't worth dealing with.

FWIW, Kronos is not too bad, though I really wish it would just use HTML/JavaScript instead of Java. And what's up with not having a split role for the admin? I don't want to see people's social security numbers and pay rate, just tweak server settings and reset passwords!

Have you tried using process monitor to track down where a lack of permissions causes a problem? It could take a while, but I've had success with it before against the old "you need to be an admin" crap.

Just curious, but why no option about moving to another provider? It's not like this one is the only one on the block, and unless you are getting a great deal for the software, I'm sure you could make a case to compare the cost of the transition vs. the cost of a 0-day exploit network takeover because of the IE settings and local admin users.

Quote:

Just curious, but why no option about moving to another provider? It's not like this one is the only one on the block, and unless you are getting a great deal for the software, I'm sure you could make a case to compare the cost of the transition vs. the cost of a 0-day exploit network takeover because of the IE settings and local admin users.

Been there did that got rejected. Something about management seeing how bad the vendor is but not wanting to flip flop to someone else and look bad in the process. So yes, people are stupid, news at 11.

@Scorp508

The setting was the default of 20MB and they wanted 256MB

@Vinc-RA

What you suggest is kinda what we are doing since it is only one person doing the payroll work. The annoying part is that all managers need to access the site for vacation and sick day tracking purposes. So there are about 15 people that need to use the stupid site. It's not really feasible to have a single PC that managers walk up to and do that sort of work.

@wyacrr

It's not a program, rather it is a website with ActiveX controls that run within the browser process. If it were a traditional program then yes, I would adjust the permissions.

Thank you for everyone's suggestions but there isn't much I can do at this point because I don't have any influence on the vendor to stop being stupid and I don't have the authority or right to demand management dump the vendor. Deep breaths, keep calm and carry on.

Quote:

I have caved in and allowed the payroll staff to be local admins because if they can't process payroll nobody gets paid. Kinda important.

No, you didn't cave. You provided support for a software service that is necessary for the running of the company you work for. You made it work. Yes, I agree that the support you gave and the requirements of the software aren't optimal, but that's life in the IT world.

Quote:

My question to Ars is, what recourse do I have? Why do companies that have shite software and shite websites still manage to get away with this stuff? What do you guys do in similar situations?

You have a few choices:

1. Deal with it and stop taking it personally that everything isn't as secure as you'd like it. It's as secure as it can be given the circumstances, right?

2. Find a different vendor for this software and do a better job of vetting it this time.

3. Work with the vendor to ask them to make security changes to the software to allow it to run in a more secure way. They might not have a workaround or solution today, but if you complain loudly enough and get other people on your side you can put pressure on them to make it more secure in a future release.

We have a site or two that does something similar, only it's not our payroll system.

What we did was modify group policy to allow the sites to install active X controls without requiring the users to be admins.

Usually though, we can badger/cajole the vendors into giving us an MSI or EXE that contains the controls, so we can install them via SCCM.

Only a couple of vendors have controls/apps so badly written that we have to make users local admins, but since they're in finance, we don't have much choice.

Does anyone here have to deal with a financial department so deathly afraid to upgrade or replace their apps that they sweat or twitch any time you even mention that their software was old when XP was new, and it's frankly a miracle we've managed to get it running on Win7? Aside from being able to induce nervous sweating, it's not fun at all.

I know they deal with the money, and nobody gets paid if their stuff goes down, but seriously. Some of that stuff is old enough to still have 8.3 restrictions.

Even better today, I set up a VM to run the collection software for the Time & Attendance card reader. I was told by the vendor the VM needs to stay logged in at all times and the screensaver needs to be disabled for the software to run correctly! I of course had a dig at them why the software can't run as a service, as we are not back in 1998...

Quote:

Even better today, I set up a VM to run the collection software for the Time & Attendance card reader. I was told by the vendor the VM needs to stay logged in at all times and the screensaver needs to be disabled for the software to run correctly! I of course had a dig at them why the software can't run as a service, as we are not back in 1998...

Right and this is the core of the problem. You told them to not be lazy and stupid and that they should conform to current day programming best practices. And I assume they just ignored you, right? This is the core of the problem because as a customer all we can do is take our business elsewhere or be a jerk and withhold payment until the vendor makes a change. Taking our business to another vendor is a powerful tactic for the customer, but if it costs more to dump the bad vendor and go with another, then what do you do?

Maybe the problem is that too many companies are out there selling technology created by people that don't know business customers need said technology to work.

Quote:

Even better today, I set up a VM to run the collection software for the Time & Attendance card reader. I was told by the vendor the VM needs to stay logged in at all times and the screensaver needs to be disabled for the software to run correctly! I of course had a dig at them why the software can't run as a service, as we are not back in 1998...

I've got an inventory management server application that runs out of handles when run as a service, so it has to be started as a regular application. Bonus points given when it's the active window because if you happen to hit Alt+F4 to close what you thought was another active window, the whole server app closes and everyone gets kicked out. Confirming you want to close a server application with live connected clients? Why bother? It also has an add on module for credit cards that is run as two separate applications that you start after you start the server app. These cannot be run as services ever.

I don't know what the deal is with payroll software companies... Ultimate Software (they make UltiPro) claimed that their software would not run At All on an x64 version of Windows. They *required* us to use Win2k3R2 x86, along with a 32-bit installation of SQL 2005, to support their crap. I put it all in VMs to get them out of my hair... (We are still a mostly-physical shop.)

I don't know the scale of your company's payroll, but we use qqest's TimeForce and it used to run on a Win2k server w/ SQL2k and now it's on a 2k8R2 VM running just fine. We are only ~50 people so I can't say how it scales, but everything is done through a webpage and we didn't have to make any crazy security compromise.

We have a Server 2003 VM that handles all of our copier print tracking, and if it gets rebooted you need to log into it on the console in VMware (not an RDP console session!!!!!!), and as soon as you log in everything springs to life, and you have to leave it that way.

Quote:

We have a Server 2003 VM that handles all of our copier print tracking, and if it gets rebooted you need to log into it on the console in VMware (not an RDP console session!!!!!!), and as soon as you log in everything springs to life, and you have to leave it that way.

Ugh.

Reminds me of the Samsung software for the info screens we have in the building, I think it's MagicInfo. That stuff is such a crap...

Quote:

We have a Server 2003 VM that handles all of our copier print tracking, and if it gets rebooted you need to log into it on the console in VMware (not an RDP console session!!!!!!), and as soon as you log in everything springs to life, and you have to leave it that way.

Ugh.

I used to have a customer with a license compliance application for their EHR that had to do the same thing. As an added bonus, it was an old Dell server with no built-in OOBM, it was running Windows 2000 Server (no /console option there), and the customer was unwilling to purchase a DRAC or IP KVM. If someone logged in via RDP before the local console logged in, the application would load in the RDP session (and die when the RDP session terminated).

Ugh.

After numerous outages, the customer finally agreed to allow the server to log in automatically (as the domain admin), and a startup script would immediately lock the screen. It still wasn't great, but at least it reduced the operational disruption.

On modern versions of Windows, the task scheduler has an option to start a program as soon as Windows starts, without needing any type of interactive login. I use this on my personal desktop to run Speedfan automatically, as my attempts to run it as a service weren't successful. I wonder if Server 2003 has a similar option?
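As an added example (not from anyone in this thread), this is how the "run at startup without an interactive login" option above looks as a scheduled task on Windows 8 / Server 2012 or later, run under a dedicated low-privilege account rather than auto-logging in the console as a domain admin. The program path, account name and task name are placeholders.

```powershell
# Added example: register a vendor program to start at boot under a plain
# service account, whether or not anyone is logged on. All names are placeholders.
$exe     = 'C:\Program Files\ExampleVendor\Collector\collector.exe'
$account = 'DOMAIN\svc-collector'   # assumption: an ordinary user, not an admin
$cred    = Get-Credential -UserName $account -Message 'Service account password'

# Start the program once at system startup (no logon required for this trigger).
$action  = New-ScheduledTaskAction -Execute $exe
$trigger = New-ScheduledTaskTrigger -AtStartup

# Restart the program if it dies, and remove the default 3-day execution limit
# so a long-running collector is not killed by the scheduler.
$settings = New-ScheduledTaskSettingsSet `
    -RestartCount 3 `
    -RestartInterval (New-TimeSpan -Minutes 1) `
    -ExecutionTimeLimit ([TimeSpan]::Zero)

# -User/-Password stores credentials so the task runs without an interactive
# session; -RunLevel Limited means it never runs elevated.
Register-ScheduledTask -TaskName 'VendorCollector' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $account -Password $cred.GetNetworkCredential().Password `
    -RunLevel Limited | Out-Null

# Confirm the task exists and is set to run at startup.
Get-ScheduledTask -TaskName 'VendorCollector' | Select-Object TaskName, State
```

Caveat: a task started this way has no visible desktop, so a program that insists on an interactive console session (like the ones described earlier in the thread) may still need to be tested against this before relying on it.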

Quote:

On modern versions of Windows, the task scheduler has an option to start a program as soon as Windows starts, without needing any type of interactive login. I use this on my personal desktop to run Speedfan automatically, as my attempts to run it as a service weren't successful. I wonder if Server 2003 has a similar option?

Loving that option, too. In general the task scheduling stuff has become a mighty tool since Vista.

For 2003, though, I can only think of one of the various tools to run normal programs as a service. Or auto login and then rapidly locking the screen again, which still leaves this at a clutch level.

I had one vendor come back and say that the company needed to have everyone in the pharmacy be given admin rights on the PCs for their software to work.

I ran Process Monitor, and identified 7-8 registry keys and subfolders that they needed Write access to. I gave them only those permissions, and the program worked without issue. The company was actually pretty cool about supporting that configuration, so it all worked out in the end.
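As an added example (not from the poster above or the vendor), here is the second half of that approach: once Process Monitor (filtered on Result is ACCESS DENIED) has shown which registry keys and folders the application writes to, grant the users write access to only those locations instead of local admin. Group name and paths are placeholders.

```powershell
# Added example: grant a user group write access to exactly the registry keys
# and folders that Process Monitor flagged, and nothing more. Placeholders only.
$group   = 'DOMAIN\PharmacyUsers'                         # assumption: app users
$regKeys = @('HKLM:\SOFTWARE\ExampleVendor\App')           # keys seen as ACCESS DENIED
$folders = @('C:\Program Files\ExampleVendor\App\Data')   # folders seen as ACCESS DENIED

foreach ($key in $regKeys) {
    $acl = Get-Acl -Path $key
    # Read/write values and create subkeys on this key and its children,
    # but no permission changes, ownership or delete of the key itself.
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $group,
        'QueryValues, SetValue, CreateSubKey, EnumerateSubKeys, Notify, ReadPermissions',
        'ContainerInherit',   # inherited by subkeys
        'None',
        'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

foreach ($dir in $folders) {
    $acl = Get-Acl -Path $dir
    # Modify = read/write/delete files here and below; deliberately not FullControl.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $group, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $dir -AclObject $acl
}

# Show the resulting entries for the group so the change can be reviewed.
foreach ($path in $regKeys + $folders) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -eq $group } |
        Select-Object @{n='Path';e={$path}}, IdentityReference, RegistryRights, FileSystemRights
}
```

Run it elevated once per PC (or push it via Group Policy / SCCM), then re-run Process Monitor as a non-admin user to confirm no ACCESS DENIED results remain.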

Quote:

I had one vendor come back and say that the company needed to have everyone in the pharmacy be given admin rights on the PCs for their software to work.

I ran Process Monitor, and identified 7-8 registry keys and subfolders that they needed Write access to. I gave them only those permissions, and the program worked without issue. The company was actually pretty cool about supporting that configuration, so it all worked out in the end.

What irritates me to no end is when you do something like this to be a "hero" and make their crappy software work, only to call them about some unrelated problem and have them tell you that they can't help you because you aren't following their usage guidelines.

Also, Kronos. Their software does not handle Java updates well, and like I said above, if you have a problem they check your Java level first thing to get out of helping you (seemingly). We were running 3 patch levels behind in the days of Java 6_24 when those zero days started coming out every other day (again, seemingly).

Ugh and our EMR app! If we had a printing problem, they only supported HP Laserjet 4000 series printers. If you couldn't reproduce it using that, then it was your problem.

Where we found success was convincing departments to come to IT FIRST, tell us what they wanted to accomplish, and have us pre-screen options for them. Our criteria included things like whether it was supported on a terminal server, whether it ran on Server 2008 R2 (and SQL 2008 R2 if necessary), and whether it used fricking Java. We hate Java.

Outdated applications, specific versions of Java/JInitiator, admin rights up the wazoo, pharmacy applications that don't handle daylight saving time and use the PC clock rather than the server clock, hybrid .NET/WPF applications that leak RAM like a colander, etc. etc., gaps in the firewall to make external web apps work, interfaces that go down every day for no reason, iPads with no purpose.